Information Security Research –
Analysis of RSA-Lockheed Martin
Attack
Gavin Davey B.S.c (Hons 1st), CRISC, CEH, CISA, ISO RM, CLSSP, CCNP
Contents
Introduction
Method – Anatomy of the attack
Zero Day Attack – The un-plugged hole
Vulnerability time line
Social Engineering – How we’re played
Phishing
RSA
Lockheed Martin
Prevention
Lessons learned
Appendix
References
ANALYSIS OF RSA-LOCKHEED MARTIN ATTACK
Introduction
This report examines the unauthorized entry (hack) into RSA's internal computer network, which subsequently led to unauthorized entry into Lockheed Martin's internal computer network. RSA is the security division of EMC and a major player in the security space. SecurID, one of its biggest selling products, is used to generate one-time passcodes. These are called ‘tokens’. The key is made up of the token from the SecurID device, the username and a PIN: something you have and something you know. This is called two-factor authentication.
It is alleged that the intruders were able to steal the ‘seeds’, or private keys, for the tokens and their associated serial numbers. This then enabled them to gain access to Lockheed Martin’s network as one of its users.
Method – Anatomy of the attack
The method used to gain access to RSA's computer systems and steal data was carried out in a number of phases. The following details each stage of the attack:
1. Phishing – The first step in the attack was to send phishing emails with the subject line “2011 Recruitment Plan” to two small groups of employees over the course of a few days. Unfortunately, one was interested enough to retrieve one of these messages from his or her junk mail and open the attached Excel file. The spreadsheet contained malware that used a previously unknown, or “zero-day”, flaw in Adobe’s Flash software to install a backdoor. RSA said that Adobe had since released a patch to fix that hole. (“The RSA Hack: How They Did It - NYTimes.com,” 2011)
2. Lurking – Through the backdoor, a piece of software called Poison Ivy was installed on the unsuspecting employee’s machine. This software allowed the hacker to communicate with and control the victim’s PC.
3. Elevating Privileges – The compromised PC could most likely be used to gain access to other systems, which allowed the hacker to access other user accounts and their passwords. A system administrator account was most likely compromised and used to access sensitive data. The hacker’s main intent during this phase was to gain system administrator access, because of the elevated privileges this account has across the network.
4. Collecting – The hacker then starts to harvest the data from the target servers, silently collecting it and copying it to a staging area. This is most likely achieved through simple DOS copy commands.
5. Compression – The collected files are compressed, encrypted and added to a single archive.
6. Exfiltration – The archive is then FTP’d to a compromised server on the internet which is controlled by and accessible to the hackers.
7. Collection – From this compromised server, the hacker collects the exfiltrated data. After the data has been collected, the hacker removes the data and any other record of the transaction to cover their tracks.
Zero Day Attack – The un-plugged hole
A zero-day attack was necessary in order to pull this hack off. A zero-day attack uses a piece of malware, or software used maliciously, to install or run unauthorized programs on a victim’s machine. These exploits are called zero-day because the developer of the software being exploited is not aware of the vulnerability, and the vulnerability has not been fixed or patched. The zero-day window runs from the time the vulnerability is first exploited to the time the software developer develops and releases a fix for it.
Vulnerability time line:
1. “The developer creates software containing an unknown vulnerability.
2. The attacker finds the vulnerability before the developer does (or while the developer is
aware of but has neglected or been unable to fix it).
3. The attacker writes an exploit while the vulnerability is either not known to the developer or
known but still not closed (e.g., due to an internal assessment of the threat's potential
damage costs being lower than the costs of developing a fix), usually also using and
distributing it.
4. The developer or the public becomes aware of the exploited vulnerability and the developer
is forced to start working on a fix, if not already working on one.
5. The developer releases the fix.” (wikipedia, 2014)
Social Engineering – How we’re played
Phishing
Phishing is an ever increasing issue. The banking industry in particular has seen a huge increase in losses due to successful phishing attempts (online fraud). Where there is money to be siphoned from an account or data to be extracted, there is phishing.
RSA
An integral part of the RSA hack entailed getting someone on the inside (an RSA employee) to click on an email link, thus installing the malware on a machine within the network. To make the email more believable, some social engineering was involved. This part of the attack was achieved by sending an email with a spreadsheet called “2011 Recruitment Plan” to a small group of employees over the course of two days. Victims for this spear phishing email attack were easily found from publicly available information, most likely obtained through social media web sites. This particular attack is called spear phishing because the phishing attempt is tailored to an individual, as opposed to a generic email aimed at a mass group. (RSA, n.d.)
Lockheed Martin
Three months after RSA announced that it had been breached and its SecurID database exposed in a sophisticated attack, defence contractor Lockheed Martin discovered an intruder in its network using legitimate credentials.
Lockheed Martin makes fighter jets, satellites and other equipment under US military contracts.
The hackers learned how to copy the security keys using token seeds allegedly removed from RSA in the highly sophisticated and organised hack that EMC disclosed in March. That attack involved phishing emails into EMC, key logging and data extraction.
If hackers have access to the seeds for the tokens assigned to various companies, they might be able to generate the pseudo-random numbers of one of those tokens, allowing them to clear a crucial hurdle in breaching the company's security. They also need the 4 to 8 digit PIN and the username.
Other possibilities include the theft of source code, which gives attackers a blueprint of vulnerabilities to exploit, or the theft of private cryptographic keys, which might allow them to imitate RSA servers or register new employee tokens.
The imposter was using the valid credentials of one of Lockheed's third-party suppliers, including the user's SecurID token. It soon became obvious that this user was not performing his or her normal operations: IS staff were alerted by the nature of the access the user was attempting, which was outside the user's normal realm.
In the weeks that followed, malware and phishing campaigns sought specific data that would link tokens to end users, suggesting that the current attacks may have been carried out by the same hackers.
These campaigns also sought to ascertain the user IDs and PINs in use at Lockheed, hinting that the same RSA hackers were trying to link specific token serial numbers with the user names and PINs of Lockheed employees.
Lockheed's network is huge and the company is a huge target for attacks, which is why it is unsure of the exact details.
- 3 million IP addresses
- 123,000 employees
- 570 locations
- 60 countries
- $45.8 billion
- 45,000 RSA tokens
Prevention
So Lockheed launched its home-grown Cyber Kill Chain framework, a process that tracks an intruder's movements and throws barriers in the way of each attempt to siphon data out of the network.
This system cost millions to develop and implement. It was implemented to try to stop advanced persistent threats. The system is aimed at stopping hackers retrieving data after a breach; the goal is to prevent data leaving the network during a hack.
The main method employed by the Kill Chain system is an intelligence-driven defence. It uses a combination of signatures, anomaly-based detection, statistical signatures and artificial intelligence. The ultimate goal is to block the exfiltration part of a hack.
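As an added illustration of the statistical, anomaly-based detection of the exfiltration stage described above (example code written for this page, not Lockheed's Kill Chain implementation or any RSA tooling), the following Python compares each internal host's daily outbound volume to external addresses against that host's own earlier days and, on a flagged day, lists the external FTP destinations it spoke to, since the report says the archive left over FTP. The flow records, internal address ranges, ports and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space; anything else counts as "the internet".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# FTP control and data ports, the channel the report says the archive left over.
FTP_PORTS = {20, 21}


@dataclass(frozen=True)
class Flow:
    day: int        # day index of the observation window
    host: str       # internal source address
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent host -> dst


# Constructed flow records: six quiet days per host, then a seventh day on
# which 10.1.2.3 pushes a large archive over FTP to an external address.
BASELINE_BYTES = {
    "10.1.2.3": [4_800_000, 5_100_000, 5_000_000, 4_900_000, 5_200_000, 5_000_000],
    "10.1.2.4": [3_000_000] * 6,
}
FLOWS = [Flow(day, host, "192.0.2.80", 443, b)
         for host, daily in BASELINE_BYTES.items()
         for day, b in enumerate(daily, start=1)]
FLOWS += [
    Flow(7, "10.1.2.3", "192.0.2.80", 443, 5_000_000),    # ordinary web traffic
    Flow(7, "10.1.2.3", "10.1.9.9", 445, 900_000_000),    # internal backup share, must not count
    Flow(7, "10.1.2.3", "203.0.113.7", 21, 480_000_000),  # large FTP upload to an external host
    Flow(7, "10.1.2.4", "192.0.2.80", 443, 3_000_000),
]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_bytes_by_host_day(flows):
    """Sum bytes sent to external destinations per (host, day)."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f.dst):
            totals[(f.host, f.day)] += f.bytes_out
    return totals


def find_exfil_candidates(flows, day, z=3.0, min_bytes=50_000_000):
    """Flag hosts whose external volume on `day` exceeds mean + z*stdev of their
    earlier days and an absolute floor; report external FTP destinations seen."""
    totals = external_bytes_by_host_day(flows)
    hits = []
    for host in sorted({h for h, _ in totals}):
        history = [v for (h, d), v in totals.items() if h == host and d < day]
        today = totals.get((host, day), 0)
        if len(history) < 3 or today < min_bytes:
            continue  # too little baseline, or too small to matter
        threshold = mean(history) + z * pstdev(history)
        if today > threshold:
            ftp_dsts = sorted({f.dst for f in flows
                               if f.host == host and f.day == day
                               and f.dport in FTP_PORTS and is_external(f.dst)})
            hits.append({"host": host, "day": day, "bytes_out": today,
                         "baseline_mean": mean(history),
                         "ftp_destinations": ftp_dsts})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(FLOWS, day=7):
        print(f"{hit['host']}: {hit['bytes_out']:,} bytes out on day {hit['day']} "
              f"(baseline {hit['baseline_mean']:,.0f}); FTP to {hit['ftp_destinations']}")
```

The internal-destination filter matters: a workstation copying to an internal backup share moves far more data than the exfiltration did, so counting it would either bury the signal or flood the analyst with noise. The absolute floor stops a host with a near-zero baseline from being flagged for a few megabytes.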
Lessons learned
Companies should adopt a policy of ‘least privilege’: assign users only the rights they need to do their job, and as little access as possible beyond that.
The fact that RSA was hacked first in order to get into Lockheed Martin and other US defence contractors indicates a very advanced level of threat.
People are the weakest factor in security. Training and awareness should be made a key priority.
Monitor systems for public addresses from unusual locations. Geo-locate source addresses, for example, and monitor firewall and VPN access logs. Should public IP addresses from certain countries be appearing in your logs?
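The geo-location check on VPN logs suggested above, as an added example (not code from the report or from Lockheed): it parses a VPN access log, maps each source address to a country, reports successful logins from countries outside an allowed set, and also catches the same account logging in from two countries within an hour. The log line format, the prefix-to-country table (built on the RFC 5737 documentation ranges) and the allowed-country policy are constructed assumptions; a real deployment would consult a GeoIP database.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database, keyed on the RFC 5737 documentation
# ranges. "XX" represents a country the organisation has no business presence in.
GEO_TABLE = [
    (ip_network("192.0.2.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "GB"),
    (ip_network("203.0.113.0/24"), "XX"),
]
# Assumed policy: the countries staff and suppliers legitimately connect from.
ALLOWED_COUNTRIES = {"US", "GB"}

# Assumed VPN log layout; real concentrators each have their own format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn: "
    r"user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log lines, in time order.
LOG_LINES = [
    "2011-05-22 08:01:12 vpn: user=jsmith src=192.0.2.10 result=success",
    "2011-05-22 08:05:40 vpn: user=agarcia src=198.51.100.7 result=success",
    "2011-05-22 08:20:03 vpn: user=supplier01 src=203.0.113.45 result=success",
    "2011-05-22 08:22:10 vpn: user=jsmith src=203.0.113.46 result=failure",
    "2011-05-22 08:40:00 vpn: user=jsmith src=203.0.113.46 result=success",
    "2011-05-22 09:00:00 vpn: user=agarcia src=198.51.100.7 result=success",
    "2011-05-22 09:05:00 vpn: keepalive",  # noise the parser must skip
]


def country_for(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"  # unknown to the table; treated as not allowed


def parse_vpn_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["country"] = country_for(e["ip"])
        events.append(e)
    return events


def logins_from_unexpected_countries(lines, allowed=ALLOWED_COUNTRIES):
    """Successful VPN logins whose source geolocates outside the allowed set."""
    return [(e["user"], e["ip"], e["country"])
            for e in parse_vpn_log(lines)
            if e["result"] == "success" and e["country"] not in allowed]


def impossible_travel(lines, max_minutes=60):
    """Same user logging in successfully from two countries within max_minutes."""
    last = {}
    hits = []
    for e in parse_vpn_log(lines):
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None and prev["country"] != e["country"]:
            gap = (e["ts"] - prev["ts"]).total_seconds() / 60
            if gap <= max_minutes:
                hits.append((e["user"], prev["country"], e["country"]))
        last[e["user"]] = e
    return hits


if __name__ == "__main__":
    for user, ip, cc in logins_from_unexpected_countries(LOG_LINES):
        print(f"review: {user} logged in from {ip} ({cc})")
    for user, a, b in impossible_travel(LOG_LINES):
        print(f"review: {user} moved {a} -> {b} within an hour")
```

Only successful logins are scored, so a single failed attempt from an odd country does not page anyone; the failure is still in the log for correlation with the RSA audit checks below. Unknown addresses map to "??" and are treated as outside policy rather than silently allowed.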
An attacker who is in possession of the "seed" values of your SecurID tokens still has to guess the user ID and PIN to get a successful login.
Check RSA audit logs for:
AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE
A lot of these occur in everyday normal use, but if you see a couple per user followed by user enumeration attempts, then scrutiny is required.
AUTH_PRINCIPAL_RESOLUTION / AUTH_ALIASES_NOT_FOUND
These appear for a user that does not exist. This also happens every day, but if the format of the attempted user names is way off from typical user names, then more investigation is needed.
Irrespective of the recent RSA/Lockheed hack, one audit log entry should always be verified:
NEW_STATIC_PCODE_AUTH_SUCCESS
This results from first use of a new token, or a lost password where a static password has been set. It is normal for first-time use. Beyond that it is two-password authentication as opposed to two-factor authentication: it means people are accessing without a token.
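The three audit-log checks above, as an added worked example (written for this page, not RSA's own tooling or log format): it parses sample audit records carrying the event names the report lists, counts correct-tokencode/wrong-PIN failures per user, picks out unresolved user names that do not fit the house naming format, reports accounts using a static passcode more than once, and correlates PIN guessing with unknown-user probes from the same source address. The record layout, the "4 to 8 lowercase letters" naming convention, the sample lines and the thresholds are constructed assumptions; only the event names come from the report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit lines. Only the event names come from the report;
# the real RSA Authentication Manager record layout differs from this one.
AUDIT_LINES = [
    "2011-05-20T10:00:01 AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE user=jsmith src=203.0.113.46",
    "2011-05-20T10:00:09 AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE user=jsmith src=203.0.113.46",
    "2011-05-20T10:00:17 AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE user=jsmith src=203.0.113.46",
    "2011-05-20T10:01:02 AUTH_PRINCIPAL_RESOLUTION user=jsmith@corp.example src=203.0.113.46",
    "2011-05-20T10:01:10 AUTH_PRINCIPAL_RESOLUTION user=000012345 src=203.0.113.46",
    "2011-05-20T10:03:44 AUTH_ALIASES_NOT_FOUND user=bjonse src=192.0.2.11",
    "2011-05-20T10:04:01 AUTH_SUCCESS user=bjones src=192.0.2.11",
    "2011-05-20T10:05:30 AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE user=agarcia src=192.0.2.12",
    "2011-05-20T10:05:45 AUTH_SUCCESS user=agarcia src=192.0.2.12",
    "2011-05-20T11:10:00 NEW_STATIC_PCODE_AUTH_SUCCESS user=dlee src=192.0.2.13",
    "2011-05-20T11:30:00 NEW_STATIC_PCODE_AUTH_SUCCESS user=cwong src=192.0.2.14",
    "2011-05-21T09:02:00 NEW_STATIC_PCODE_AUTH_SUCCESS user=cwong src=192.0.2.14",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Assumed house convention for user IDs: 4 to 8 lowercase letters, e.g. jsmith.
TYPICAL_USER_RE = re.compile(r"^[a-z]{4,8}$")
UNKNOWN_USER_EVENTS = {"AUTH_PRINCIPAL_RESOLUTION", "AUTH_ALIASES_NOT_FOUND"}
BAD_PIN = "AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE"
STATIC_PCODE = "NEW_STATIC_PCODE_AUTH_SUCCESS"


def parse_audit(lines):
    matches = (LINE_RE.match(line.strip()) for line in lines)
    return [m.groupdict() for m in matches if m]


def bad_pin_good_tokencode(events, threshold=2):
    """Users with `threshold` or more correct-tokencode/wrong-PIN failures:
    someone holding a valid code (or the seed) is guessing the PIN."""
    counts = Counter(e["user"] for e in events if e["event"] == BAD_PIN)
    return {u: c for u, c in counts.items() if c >= threshold}


def atypical_unknown_users(events):
    """Names that failed to resolve and do not match the house naming format;
    a mistyped real name (bjonse) is left alone."""
    seen = []
    for e in events:
        u = e["user"]
        if e["event"] in UNKNOWN_USER_EVENTS and not TYPICAL_USER_RE.match(u) and u not in seen:
            seen.append(u)
    return seen


def repeat_static_passcode_users(events):
    """Static-passcode logins are expected once (new or lost token), not repeatedly."""
    counts = Counter(e["user"] for e in events if e["event"] == STATIC_PCODE)
    return sorted(u for u, c in counts.items() if c > 1)


def sources_guessing_pins_and_enumerating(events):
    """Sources showing both PIN guessing and unknown-user probes, the
    combination the report singles out for scrutiny."""
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add(e["event"])
    return sorted(src for src, evs in by_src.items()
                  if BAD_PIN in evs and evs & UNKNOWN_USER_EVENTS)


def triage(lines):
    events = parse_audit(lines)
    return {
        "bad_pin_good_tokencode": bad_pin_good_tokencode(events),
        "atypical_unknown_users": atypical_unknown_users(events),
        "repeat_static_passcode_users": repeat_static_passcode_users(events),
        "suspicious_sources": sources_guessing_pins_and_enumerating(events),
    }


if __name__ == "__main__":
    for key, value in triage(AUDIT_LINES).items():
        print(f"{key}: {value}")
```

The per-source correlation is the part worth keeping: one user with a few bad-PIN events and one unknown name are both everyday noise, but the same address producing both in the same minutes is the pattern the report says deserves scrutiny, and it is invisible if each event type is reviewed on its own.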
Appendix
FTP: File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host
to another host over a TCP-based network, such as the Internet.
Poison Ivy: A remote administration utility which bypasses normal security mechanisms to secretly control a
program, computer or network.
Malware: Malware, short for malicious software, is software used to disrupt computer operation,
gather sensitive information, or gain access to private computer systems.
References
RSA, n.d. Anatomy of an Attack. [Online] Available at: https://blogs.rsa.com/anatomy-of-an-attack/ [Accessed 15 February 2014].
wikipedia, 2014. Zero-day attack. [Online] Available at: http://en.wikipedia.org/wiki/Zero-day_attack [Accessed 19 February 2014].
The RSA Hack: How They Did It - NYTimes.com, 2011. [Online] Available at: http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?_php=true&_type=blogs&_php=true&_type=blogs&_r=1 [Accessed 14 February 2014].
Isc.sans.edu, 2014. Lockheed Martin and RSA Tokens - Internet Security | SANS ISC. [Online] Available at: https://isc.sans.edu/forums/diary/Lockheed+Martin+and+RSA+Tokens/10939 [Accessed 12 February 2014].
Channelinsider.com, 2014. Eight RSA SecurID Alternatives - Security news from Channel Insider. [Online] Available at: http://www.channelinsider.com/c/a/Security/Eight-RSA-SecurID-Alternatives-156893/ [Accessed 20 February 2014].
